WhatsApp Phishing Campaign Unleashes Malware Storm

A malware attack targeted specifically at businesses and consumers who might use WhatsApp has been found unleashed in the wild.

According to the Comodo Antispam Labs (CASL) team, as part of a random phishing campaign, cyber-criminals are sending fake emails claiming to be delivering legitimate WhatsApp content; instead, the messages spread malware when the target clicks on the “message.”

The attachment contains a compressed (.zip) file, which houses a malware executable. The malware is a variant of the Nivdort family, which usually replicates itself into different system folders, adding itself into an auto-run in the computer’s registry.

WhatsApp is a Facebook-owned, multi-platform messaging service that offers chat and calling among users; they can also share photos and videos. The service has 700 million active users and claims 30 billion messages sent each day on the platform, making it a broad target.

But rather than take a scattershot approach to the opportunity, a series of savvy subject line lures are at the core of this campaign.

“Cybercriminals are becoming more and more like marketers—trying to use creative subject lines to have unsuspecting emails be clicked and opened to spread malware,” said Fatih Orhan, director of technology for Comodo and the CASL, in a blog.

Examples include:

• You have obtained a voice notification.

• An audio memo was missed.

• A brief audio recording has been delivered!

• A short vocal recording was obtained.

• A sound announcement has been received.

• You have a video announcement.

• A brief video note got delivered.

• You've recently got a vocal message.

Each subject ends with a set of random characters like ‘xgod’ or ‘Ydkpda’. These are probably used for encoding data or to identify the recipient.

The messages look legitimate because the perpetrators use display-name spoofing. When an email arrives, the client shows it as sent from the brand name, WhatsApp, but the actual "from" email address is clearly not a company address.
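The three traits the article describes (a WhatsApp display name on a sender address outside the brand's domain, a lure subject ending in a random token such as 'xgod' or 'Ydkpda', and a .zip attachment carrying the executable) can be checked mechanically at the mail gateway. The script below is an added example, not Comodo's code and not a sample from the campaign: the two messages are constructed, the BRAND_DOMAINS allow-list is hypothetical, and the lure vocabulary comes only from the subject lines quoted above.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Subject-line lures quoted in the article. Their words form the vocabulary
# used both to recognise a lure and to tell the appended random token apart
# from the ordinary English words of the lure sentence.
LURE_SUBJECTS = [
    "You have obtained a voice notification.",
    "An audio memo was missed.",
    "A brief audio recording has been delivered!",
    "A short vocal recording was obtained.",
    "A sound announcement has been received.",
    "You have a video announcement.",
    "A brief video note got delivered.",
    "You've recently got a vocal message.",
]
LURE_WORDS = {w for s in LURE_SUBJECTS for w in re.findall(r"[a-z']+", s.lower())}
MEDIA_WORDS = {"voice", "audio", "vocal", "sound", "video"}
NOUN_WORDS = {"notification", "memo", "recording", "announcement", "note", "message"}

# Hypothetical allow-list: domains the brand legitimately sends mail from.
BRAND_DOMAINS = {"whatsapp": {"whatsapp.com", "whatsapp.net"}}

# Constructed sample messages (not real campaign samples).
SAMPLE_PHISH = """\
From: WhatsApp <notify@example-mailer.invalid>
To: victim@example.com
Subject: You have obtained a voice notification Ydkpda
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Click to play.
--b1
Content-Type: application/zip; name="voicemail.zip"
Content-Disposition: attachment; filename="voicemail.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""

SAMPLE_LEGIT = """\
From: Alice <alice@example.com>
To: bob@example.com
Subject: Lunch tomorrow?
Content-Type: text/plain

See you at noon.
"""


def sender_spoofs_brand(from_header):
    """True when the display name claims a brand but the address is off-brand."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return any(brand in name.lower() and domain not in domains
               for brand, domains in BRAND_DOMAINS.items())


def lure_token_from_subject(subject):
    """Return the trailing random token if the subject is a lure with one, else None."""
    subject = subject.strip()
    words = re.findall(r"[A-Za-z']+", subject)
    lowered = {w.lower() for w in words}
    if not (MEDIA_WORDS & lowered and NOUN_WORDS & lowered):
        return None
    last = words[-1] if words else ""
    # The campaign's suffix is a bare alphabetic token that is not part of the
    # lure sentence; a lure word at the end of the subject is not a suffix.
    if last.isalpha() and last.lower() not in LURE_WORDS and subject.endswith(last):
        return last
    return None


def zip_attachment_names(msg):
    """Names of .zip attachments, the container the article says held the executable."""
    return [part.get_filename() for part in msg.walk()
            if part.get_filename() and part.get_filename().lower().endswith(".zip")]


def triage(raw):
    """Return the indicators found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    indicators = []
    if sender_spoofs_brand(str(msg.get("From", ""))):
        indicators.append("display-name-spoof")
    token = lure_token_from_subject(str(msg.get("Subject", "")))
    if token:
        indicators.append(f"lure-subject:{token}")
    for name in zip_attachment_names(msg):
        indicators.append(f"zip-attachment:{name}")
    return indicators


if __name__ == "__main__":
    for sample in (SAMPLE_PHISH, SAMPLE_LEGIT):
        print(triage(sample))
```

Each indicator on its own is weak (plenty of legitimate senders use a brand display name, and .zip attachments are common), so a gateway rule would score the combination rather than block on any one; the token check in particular is only meaningful once the subject already matches the lure vocabulary.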